DDLS-73 harden api image (#1475)

.github/workflows/_unit-tests-api.yml

@@ -41,6 +41,7 @@ jobs:
           --cache-from=type=local,src=/tmp/.buildx-cache \
           --cache-to=type=local,dest=/tmp/.buildx-cache-new \
           --tag api-unit-tests:latest \
+          --target ci-tests \
           --output type=docker .
 
       - name: Move cache

.github/workflows/_unit-tests-client.yml

@@ -38,7 +38,7 @@ jobs:
           --cache-from=type=local,src=/tmp/.buildx-cache \
           --cache-to=type=local,dest=/tmp/.buildx-cache-new \
           --tag frontend-unit-tests:latest \
-          --target testing \
+          --target ci-tests \
           --output type=docker .
 
       - name: run client unit tests

api/app/scripts/reset_db_fixtures.sh

@@ -3,5 +3,4 @@ set -e
 
 # We need below to create the params file on container start
 confd -onetime -backend env
-
-su-exec www-data php app/console doctrine:fixtures:load --no-interaction
+php app/console doctrine:fixtures:load --no-interaction

api/app/scripts/reset_db_fixtures_local.sh

@@ -4,5 +4,5 @@ set -e
 # We need below to create the params file on container start
 confd -onetime -backend env
 
-su-exec www-data php app/console doctrine:fixtures:load --no-interaction
-su-exec www-data php app/console doctrine:fixtures:load --no-interaction --env=test
+php app/console doctrine:fixtures:load --no-interaction
+php app/console doctrine:fixtures:load --no-interaction --env=test

api/app/scripts/reset_db_structure.sh

@@ -11,7 +11,7 @@ export SSL=${DATABASE_SSL:=allow}
 confd -onetime -backend env
 
 #Apply migrations to rebuild database
-su-exec www-data php app/console doctrine:database:drop --force --if-exists
-su-exec www-data php app/console doctrine:database:create
-su-exec www-data php app/console doctrine:migrations:status
-su-exec www-data php app/console doctrine:migrations:migrate --no-interaction -vvv
+php app/console doctrine:database:drop --force --if-exists
+php app/console doctrine:database:create
+php app/console doctrine:migrations:status
+php app/console doctrine:migrations:migrate --no-interaction -vvv

api/app/scripts/reset_db_structure_local.sh

@@ -11,12 +11,12 @@ export SSL=${DATABASE_SSL:=allow}
 confd -onetime -backend env
 
 #Apply migrations to rebuild database
-su-exec www-data php app/console doctrine:database:drop --force --if-exists
-su-exec www-data php app/console doctrine:database:create
-su-exec www-data php app/console doctrine:migrations:status
-su-exec www-data php app/console doctrine:migrations:migrate --no-interaction -vvv
+php app/console doctrine:database:drop --force --if-exists
+php app/console doctrine:database:create
+php app/console doctrine:migrations:status
+php app/console doctrine:migrations:migrate --no-interaction -vvv
 
-su-exec www-data php app/console doctrine:database:drop --force --if-exists --env=test
-su-exec www-data php app/console doctrine:database:create --env=test
-su-exec www-data php app/console doctrine:migrations:status --env=test
-su-exec www-data php app/console doctrine:migrations:migrate --no-interaction -vvv --env=test
+php app/console doctrine:database:drop --force --if-exists --env=test
+php app/console doctrine:database:create --env=test
+php app/console doctrine:migrations:status --env=test
+php app/console doctrine:migrations:migrate --no-interaction -vvv --env=test

api/app/scripts/task_run_console_command.sh

@@ -4,4 +4,4 @@ set -e
 # We need below to create the params file on container start
 confd -onetime -backend env
 
-su-exec www-data php app/console $1
+php app/console $1

api/app/tests/Behat/reset-db.sh

@@ -1,4 +1,4 @@
 #!/bin/sh
 set -e
 confd -onetime -backend env
-su-exec www-data php app/console doctrine:fixtures:load --no-interaction
+php app/console doctrine:fixtures:load --no-interaction

api/docker/app/Dockerfile

@@ -18,6 +18,7 @@ EXPOSE 80
 EXPOSE 443
 ENV TIMEOUT=20
 ENV PHP_EXT_DIR=/usr/local/lib/php/extensions/no-debug-non-zts-20210902/
+# Install required packages
 RUN apk --no-cache add \
     postgresql-dev \
     postgresql-client \
@@ -26,6 +27,7 @@ RUN apk --no-cache add \
     php81-pecl-igbinary  \
     php81-pecl-redis
 RUN apk update && apk upgrade
+# Install necessary PHP extensions
 RUN docker-php-ext-install pdo pdo_pgsql opcache
 RUN docker-php-ext-enable opcache
 # Install pcov for faster coverage tooling
@@ -53,29 +55,29 @@ ENV WAITFORIT_VERSION="v2.4.1"
 RUN wget -q -O /usr/local/bin/waitforit https://github.com/maxcnunes/waitforit/releases/download/$WAITFORIT_VERSION/waitforit-linux_amd64 \
     && chmod +x /usr/local/bin/waitforit
 
-# Create var folders
+# Create var directories
 RUN mkdir -p var/cache \
     && mkdir -p var/logs \
     && mkdir -p /var/log/app \
     && chown -R www-data var \
     && chown -R www-data /var/log/app
 
-FROM base
-COPY api/docker/app/confd /etc/confd
-COPY --from=composer /app/app app
-COPY --from=composer /app/vendor/bin bin
-COPY --from=composer /app/vendor vendor
-COPY --from=composer /app/composer.lock composer.lock
-COPY --from=composer /app/config/parameters.yml config/parameters.yml
-COPY api/app/app app
-COPY api/app/config config
-COPY api/app/public public
-COPY api/app/scripts scripts
-COPY api/app/src src
-COPY api/app/tests tests
-COPY api/app/api.env api.env
-COPY api/app/postgres.env postgres.env
-COPY api/app/phpstan.neon .
+FROM base as application
+COPY --chown=www-data:www-data api/docker/app/confd /etc/confd
+COPY --chown=www-data:www-data --from=composer /app/app app
+COPY --chown=www-data:www-data --from=composer /app/vendor/bin bin
+COPY --chown=www-data:www-data --from=composer /app/vendor vendor
+COPY --chown=www-data:www-data --from=composer /app/composer.lock composer.lock
+COPY --chown=www-data:www-data --from=composer /app/config/parameters.yml config/parameters.yml
+COPY --chown=www-data:www-data api/app/app app
+COPY --chown=www-data:www-data api/app/config config
+COPY --chown=www-data:www-data api/app/public public
+COPY --chown=www-data:www-data api/app/scripts scripts
+COPY --chown=www-data:www-data api/app/src src
+COPY --chown=www-data:www-data api/app/tests tests
+COPY --chown=www-data:www-data api/app/api.env api.env
+COPY --chown=www-data:www-data api/app/postgres.env postgres.env
+COPY --chown=www-data:www-data api/app/phpstan.neon .
 # Behat
 RUN mkdir -p /tmp/html
 RUN mkdir -p /tmp/sql
@@ -91,8 +93,22 @@ RUN su-exec www-data php -d memory_limit=-1 app/console cache:warmup
 
 RUN mkdir certs && chmod 755 certs && wget -O certs/eu-west-1-bundle.pem https://truststore.pki.rds.amazonaws.com/eu-west-1/eu-west-1-bundle.pem
 
+FROM application as ci-tests
+# We use this setup for certain commands as part of the CI processing of unit tests
+CMD confd -onetime -backend env \
+    && waitforit -address=tcp://$DATABASE_HOSTNAME:$DATABASE_PORT -timeout=$TIMEOUT \
+    && php app/console doctrine:migrations:migrate --allow-no-migration --no-interaction \
+    && php app/console doctrine:migrations:up-to-date \
+    && php-fpm
+
+FROM application as production
+COPY scripts/hardening/harden.sh /harden.sh
+RUN /harden.sh && rm /harden.sh
+
+USER www-data
+
 CMD confd -onetime -backend env \
     && waitforit -address=tcp://$DATABASE_HOSTNAME:$DATABASE_PORT -timeout=$TIMEOUT \
-    && su-exec www-data:www-data php app/console doctrine:migrations:migrate --allow-no-migration --no-interaction \
-    && su-exec www-data:www-data php app/console doctrine:migrations:up-to-date \
+    && php app/console doctrine:migrations:migrate --allow-no-migration --no-interaction \
+    && php app/console doctrine:migrations:up-to-date \
     && php-fpm

client/docker/app/Dockerfile

@@ -1,6 +1,6 @@
 FROM composer:2.5.7 AS composer
+
 WORKDIR /app
-RUN composer --version
 # Install composer dependencies
 COPY client/app/composer.json .
 COPY client/app/composer.lock .
@@ -19,6 +19,7 @@ ENV PHP_EXT_DIR=/usr/local/lib/php/extensions/no-debug-non-zts-20210902/
 # Install core PHP extensions
 RUN apk add --no-cache su-exec libzip-dev unzip php81-pecl-igbinary php81-pecl-redis php81-pecl-imagick gmp gmp-dev
 RUN apk update && apk upgrade
+# Install necessary PHP extensions
 RUN docker-php-ext-install pcntl zip opcache gmp
 RUN docker-php-ext-enable opcache
 # Install pcov for faster coverage tooling
@@ -83,11 +84,11 @@ RUN chown -R www-data:www-data scripts
 RUN su-exec www-data php -d memory_limit=-1 app/console cache:warmup
 
 
-FROM application as testing
+FROM application as ci-tests
+# We use this setup for certain commands as part of the CI processing of unit tests
 CMD confd -onetime -backend env \
     && php-fpm
 
-
 FROM application as production
 COPY scripts/hardening/harden.sh /harden.sh
 RUN /harden.sh && rm /harden.sh

docker-compose.yml

@@ -45,7 +45,6 @@ services:
         REQUIRE_XDEBUG: ${REQUIRE_XDEBUG_CLIENT} # set REQUIRE_XDEBUG_CLIENT=1 in .env to install Xdebug
         XDEBUG_IDEKEY_CLIENT: ${XDEBUG_IDEKEY_CLIENT}
     depends_on:
-      - resources
       - api-webserver
       - redis-frontend
       - htmltopdf
@@ -83,7 +82,6 @@ services:
         REQUIRE_XDEBUG: ${REQUIRE_XDEBUG_CLIENT} # set REQUIRE_XDEBUG_CLIENT=1 in .env to install Xdebug
         XDEBUG_IDEKEY_CLIENT: ${XDEBUG_IDEKEY_CLIENT}
     depends_on:
-      - resources
       - api-webserver
       - redis-frontend
       - htmltopdf